300,000 Servers Still Vulnerable to Heartbleed Vulnerability After One Month

It’s more than a month since we all were warned of the critical OpenSSL Heartbleed vulnerability, but that doesn't mean it has disappeared. The critical bug compromised many popular websites, and once it was discovered the problem was supposedly solved. But is that so?

No, not at all! A recent finding from security researcher Robert David Graham claims that more than 300,000 servers apparently remain vulnerable to the most critical OpenSSL bug, Heartbleed. That is admittedly down from the previous count, which found over 600,000 systems a month ago.

Graham announced on the Errata Security blog that he arrived at the number through a recently completed global internet scan (or at least of the important bits: port 443 of IPv4 addresses), which reveals that exactly 318,239 systems are still vulnerable to the OpenSSL Heartbleed bug and that over 1.5 million servers still support the vulnerable "heartbeat" feature of OpenSSL that allowed the critical bug.

“The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed "attacks" and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that),” Graham wrote in the blog post.

Heartbleed is a critical bug in the popular OpenSSL cryptographic software library. It resides in OpenSSL's implementation of the heartbeat extension (RFC 6520) for the TLS (Transport Layer Security) and DTLS (Datagram TLS) protocols.
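To make concrete what an RFC 6520 heartbeat message carries and where the bug sat, here is an added C example, written for this article and not taken from OpenSSL, of a heartbeat parser that performs the length check the vulnerable versions omitted. The message layout is RFC 6520's; the function names, struct and sample messages are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Hypothetical parser written for this article; it is not OpenSSL's code. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

struct hb_msg {
    uint8_t        type;
    uint16_t       payload_length;
    const uint8_t *payload;   /* points into the received record, not copied */
};

/* Returns 0 and fills *out if the record is well-formed, -1 otherwise. */
int hb_parse(const uint8_t *rec, size_t rec_len, struct hb_msg *out)
{
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;   /* cannot hold header + padding */
    uint8_t type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE) return -1;
    uint16_t payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check Heartbleed lacked: the claimed payload_length must fit inside the
     * bytes actually received, otherwise echoing it reads past the record buffer. */
    if ((size_t)1 + 2 + payload_length + HB_MIN_PADDING > rec_len) return -1;
    out->type           = type;
    out->payload_length = payload_length;
    out->payload        = rec + 3;
    return 0;
}

/* Builds the HeartbeatResponse echoing a validated request's payload.
 * Returns the number of bytes written, or 0 if resp cannot hold it. */
size_t hb_build_response(const struct hb_msg *req, uint8_t *resp, size_t resp_cap)
{
    if (req == NULL || resp == NULL || req->type != HB_REQUEST) return 0;
    size_t need = 1 + 2 + (size_t)req->payload_length + HB_MIN_PADDING;
    if (resp_cap < need) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(req->payload_length >> 8);
    resp[2] = (uint8_t)(req->payload_length & 0xff);
    memcpy(resp + 3, req->payload, req->payload_length);
    /* RFC 6520 says padding is random and ignored by the receiver; zeroed here. */
    memset(resp + 3 + req->payload_length, 0, HB_MIN_PADDING);
    return need;
}
```

A record that claims a 64 KiB payload while delivering only a handful of bytes is rejected by hb_parse instead of being echoed, which is exactly the behaviour the patched OpenSSL releases adopted.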

The count may be even larger, as the numbers mentioned cover only the confirmed cases. Graham may have missed other systems, either because of spam blocking or because of unorthodox OpenSSL setups. But it’s really shocking that, with Heartbleed fixes available for so long, the number is still this high.

“Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL,” he wrote.

Since it was brought to our attention three months ago, Heartbleed has made countless headlines due to the severe dangers it poses. The vulnerability, which affects systems using the OpenSSL library, allows hackers to penetrate affected servers without leaving any trace of their actions behind. Its severity would lead us to assume that the people responsible for preventing it from doing any (more) damage have already taken all the necessary precautions.

And, indeed, popular service providers have been quick to address the problem, with the likes of Google, Facebook and Microsoft publicly stating whether the vulnerability could affect their products and users, and issuing patches where needed. This has given us a false sense of security, as if the worst has passed. Yet, even today, Heartbleed can still do quite a bit of damage.

A study of the public-facing web servers run by some of the world's largest firms has suggested only three per cent of the machines have been fully protected against the OpenSSL vulnerability known as Heartbleed.

The research, carried out by security specialists at Venafi Labs, examined 550,000 servers belonging to 1,639 companies on the Forbes top Global 2000 list, and showed that 99 per cent of the companies checked had patched the data-leaking Heartbleed flaw.